When a client device visits a website, the website can transmit small packets of data to the client device. The small packets of data can include preferences, session information, or information to be used to authenticate and maintain a session between the client device and the device hosting the website. The data stored in the client device by the website can be stored indefinitely or can be purged at regular intervals. In some implementations, to prevent malicious attacks known as cross-site or cross-domain attacks or undesired behavior, web browsers can prevent domains from accessing the data of other domains or from storing data on the client device when the client device is not in an active session with the domain.